COPYandPAY

For users of COPYandPAY, minimal additional effort is required compared to the current integration. The workflow is identical to the current 3D Secure 1.0 implementation. The widget will handle the entire additional communication and will be responsible for collecting required browser based information automatically. Following data must be collected by the merchant and send in via

Server/Server, create checkoutId
being collected by adding additional input fields to the payment widget (see here)

Field name	Mandatory/Optional	Source when using the widget
billing.city	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)
billing.country	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)
billing.street1	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)
billing.postcode	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)
customer.email	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)
card.holder	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)

Server to Server

For users who are integrating via server to server will need to follow EMVCo's guidelines on the frontend integration. Please follow the steps described below:

Prepare your front-end and follow EMVCo's recommendation (see Section 4 "EMV 3-D Secure User Interface Templates, Requirements, and Guidelines" here) on how the authentication window should be shown in the webshop (eg. in and iframe or in a lightbox).
Prepare your back-end and send following additional information along with the payment information:

Field

API Field name

Description

Length/Format/Values

Accept header

customer.browser.acceptHeader

HTTP accept header sent from the cardholder's browser.

Length: Variable, maximum 2048 characters JSON Data Type: String Value accepted: If the total length of the accept header sent by the browser exceeds 2048 characters, the 3DS Server truncates

Language

customer.browser.language

The cardholder's browser language.

Length: Variable, 1–8 characters JSON Data Type: String

Screen height

customer.browser.screenHeight

This field contains the total height of the cardholder's screen in pixels.

Length: Variable, 1–6 characters JSON Data Type: String

Screen width

customer.browser.screenWidth

This field contains the total width of the cardholder's screen in pixels.

Length: Variable, 1–6 characters JSON Data Type: String

Browser timezone

customer.browser.timezone

This field contains the cardholder's browser local timezone.

Length: 1–5 characters JSON Data Type: String Value accepted: Value is returned from the getTimezoneOffset() method.

User agent

customer.browser.userAgent

This field contains the exact content of the HTTP User-Agent header.

Length: Variable, maximum 2048 characters JSON Data Type: String Value accepted: Note: If the total length of the User-Agent sent by the browser exceeds 2048 characters, the 3DS Server truncates the excess portion.

IP address

customer.ip

IP address of the cardholder's browser.

Length: Variable, maximum 45 characters JSON Data Type: String Value accepted: IPv4 address is represented in the dotted decimal format of 4 sets of decimal numbers separated by dots. The decimal number in each and every set is in the range 0 to 255. Example IPv4 address: 1.12.123.255 IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets. The groups are separated by colons (:). Example IPv6 address:2011:0db8:85 a3:0101:0101:8a2e:03 70:7334

Java enabled

customer.browser.javaEnabled

true/false - Ability of the cardholder's browser to execute Java.

JSON Data Type: Boolean Values accepted: • true • false

Javascript enabled

customer.browser.javascriptEnabled

true/false - Ability of the cardholder's browser to execute JavaScript

JSON Data Type: Boolean Values accepted: • true • false

Screen color depth

customer.browser.screenColorDepth

This field contains a value representing the bit depth of the color palette, in bits per pixel, for displaying images.

Length: 1–2 characters JSON Data Type: String Values accepted: 1 = 1 bit • 4 = 4 bits • 8 = 8 bits • 15 = 15 bits • 16 = 16 bits • 24 = 24 bits • 32 = 32 bits • 48 = 48 bits

Authentication window size

customer.browser.challengeWindow

Size of the authentication iframe which will render the ACS authentication front-end to the shopper for interaction.

Please send an Integer between 1-5. The integer corresponds to one the following resolutions:

1	2	3	4	5
250 x 400	390 x 400	500 x 600	600 x 400	Full screen

Server to Server Examples

Request

authentication.entityId=8ac7a49f6e4a18ae016e4b8b4c4b2146
amount=12.00
currency=EUR
paymentBrand=VISA
paymentType=PA
merchantTransactionId=order99234
transactionCategory=EC
card.number=4000000000000010
card.expiryMonth=12
card.expiryYear=2025
card.cvv=123
card.holder=John Smith
merchant.name=MerchantCo
merchant.city=Munich
merchant.country=DE
merchant.mcc=5399
shopperResultUrl=https://merchant.org
customer.ip=192.168.0.1
customer.browser.acceptHeader=text/html
customer.browser.screenColorDepth=48
customer.browser.javaEnabled=false
customer.browser.javascriptEnabled=true
customer.browser.language=de
customer.browser.screenHeight=1200
customer.browser.screenWidth=1600
customer.browser.timezone=60
customer.browser.challengeWindow=4
customer.browser.userAgent=Mozilla/4.0 (MSIE 6.0; Windows NT 5.0)
testMode=EXTERNAL

Intermediate Response

{
    "id": "8ac7a4a0686138d701687eebfbc74747",
    "paymentType": "DB",
    "paymentBrand": "VISA",
    "result": {
        "code": "000.200.000",
        "description": "transaction pending"
    },
    "resultDetails": {
        "clearingInstituteName": "CI_Test"
    },
    "card": {
        "bin": "411111",
        "last4Digits": "1111",
        "holder": "Jane Jones",
        "expiryMonth": "05",
        "expiryYear": "2020"
    },
    "redirect": {
        "url": "https://eu-test.oppwa.com/v1/threeDSecure/execute",
        "parameters": [{
            "name": "name",
            "value": "value"
        }],
        "preconditions": [{
            "origin": "iframe#hidden",
            "waitUntil": "iframe#onload",
            "description": "Hidden iframe post for 3D Secure 2.0",
            "method": "POST",
            "url": "methodURL",
            "parameters": [{
                "name": "threeDSMethodData",
                "value": "methodData"
            }]
        }]
    },
    "risk": {
        "score": "100"
    },
    "buildNumber": "deebd8c9af7d84ddee98c38b7f4afcc814012b5b@2019-01-22 13:58:00 +0000",
    "timestamp": "2019-01-24 08:13:41+0000",
    "ndc": "8a8294174b7ecb28014b9699220015ca_0557df43f75643d19479440642979e00"
}

Final Response

{
  "id":"8ac7a49f6e4a18ae016e4b8b4c4b2146",
  "paymentType":"PA",
  "paymentBrand":"VISA",
  "amount":"12.00",
  "currency":"EUR",
  "result":{
    "code":"000.100.112",
    "description":"Request successfully processed in 'Merchant in Connector Test Mode'"
  },
  "resultDetails":{
    "ExtendedDescription":"Approved",
    "AcquirerResponse":"00",
  },
  "card":{
    "bin":"400000",
    "last4Digits":"0044",
    "expiryMonth":"12",
    "expiryYear":"2025"
  },
  "threeDSecure":{
    "eci":"05",
    "verificationId":"MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=",
    "version":"2.1.0",
    "dsTransactionId":"91caca63-5c4e-4aa2-a3f1-b4d418972de8",
    "acsTransactionId":"7055d78e-eb35-46e7-8c4e-56e15092b5f5",
  },
  "buildNumber":"7810ceecdd913cd9c4807becb99b89ce68454900@2019-11-08 12:20:52 +0000",
  "timestamp":"2019-11-08 15:05:42+0000",
  "ndc":"8ac7a4c76dd857ea016dda2ea6970684_3ba4c7691f854354906b2f6c402840e7"
}

How to handle the responses

Open a hidden iframe and post data to the methodURL

Method Data and Method URL are not always returned. This is an optional step, but if it's returned it's important to handle it properly.

<form name='' action='preconditions.url' method='POST'>
    <INPUT type='hidden' name='preconditions.parameters[].name' value='preconditions.parameters[].value'>
</form>
<script>
    window.onload = submitForm;
    function submitForm() { downloadForm.submit(); }
</script>

Redirect the shopper within and iframe to the redirect URL if onLoad event received from 1.

<form name='' action='redirect.URL' method='POST'>
    <INPUT type='hidden' name='redirect.parameters[].name' value='redirect.parameters[].value'>
</form>
<script>
    window.onload = submitForm;
    function submitForm() { downloadForm.submit(); }
</script>

Fields required for 3D Secure 2

Please note that in order to have a better rate of successful risk-checks during the risk based authentication, it is recommended to send as many fields as possible. This will positively affect the number of frictionless flows.

Source is the cardholder or cardholder's environment

Field name	Mandatory/Optional	Source when using the widget	Source when integrating via Server-to-Server API	Format, Length
card.expiryMonth	Mandatory	Cardholder (via widget)	Cardholder (via API)	Length: 2 characters Format: numeric
card.expiryYear	Mandatory	Cardholder (via widget)	Cardholder (via API)	Length: 4 characters Format: numeric
card.number	Mandatory	Cardholder (via widget)	Cardholder (via API)	Length: Variable, 13-19 Format: numeric
billing.city	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable, 2–45 characters Format: String with values accepted indicated below
billing.country	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)	Cardholder (via API)	Length: 2 characters Format: [A-Z]{2}
billing.street1	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable, maximum 50 characters Format: String
billing.postcode	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable, maximum 16 characters Format: String
customer.email	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable, maximum 128 characters Format: String
card.holder	Required unless market or regional mandate restricts sending this information.	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable, 2 - 45 characters Format: String
amount	Mandatory	Payment (via API)	Payment (via API)	Length: Variable, maximum 12 characters Format: Numeric with 2 minor units after the decimal point Example: 123.00
currency	Mandatory	Payment (via API)	Payment (via API)	Length: 3 characters Format: ISO 4217 A3 currency code
shipping.city	Optional	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable, maximum 50 characters Format: String
shipping.country	Optional	Cardholder (via widget or API)	Cardholder (via API)	Length: 3 characters Format: ISO 3166-1 A2 country code
shipping.street1	Optional	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable, maximum 50 characters Format: String
shipping.street2	Optional	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable, maximum 50 characters Format: String
shipping.postcode	Optional	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable, maximum 16 characters Format: String
shipping.state	Optional	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable: maximum 3 characters Format: Should be the country subdivision code defined in ISO 3166-2
billing.street2	Optional	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable, maximum 50 characters Format: String
billing.state	Optional	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable: maximum 3 characters Format: Should be the country subdivision code defined in ISO 3166-2
customer.phone	Optional	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable: maximum 20 characters Format: +ccc-nnnnnnnn Where: + sign is optional cc - country code, maximum 3 characters "-" - mandatory character nnnnnnnnnn - phone number without the country code, maximum 15 characters
customer.workPhone	Optional	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable: maximum 20 characters Format: +ccc-nnnnnnnn Where: + sign is optional cc - country code, maximum 3 characters "-" - mandatory character nnnnnnnnnn - phone number without the country code, maximum 15 characters
customer.mobile	Optional	Cardholder (via widget or API)	Cardholder (via API)	Length: Variable: maximum 20 characters Format: +ccc-nnnnnnnn Where: + sign is optional cc - country code, maximum 3 characters "-" - mandatory character nnnnnnnnnn - phone number without the country code, maximum 15 characters
customer.browser.acceptHeader	Mandatory	Automatically collected by the widget	Merchant should collect and send via API	Length: Variable, maximum 2048 characters Format: String
customer.browser.language	Mandatory	Automatically collected by the widget	Merchant should collect and send via API	Length: Variable, 1–8 characters Format: String Returned from navigator.language property.
customer.browser.screenHeight	Mandatory	Automatically collected by the widget	Merchant should collect and send via API	Length: Variable, 1–6 Format: Numeric Value is returned from the screen.height property
customer.browser.screenWidth	Mandatory	Automatically collected by the widget	Merchant should collect and send via API	Length: Variable, 1–6 Format: Numeric Value is returned from the screen.width property
customer.browser.timezone	Mandatory	Automatically collected by the widget	Merchant should collect and send via API	Length: Variable, 1–5 characters Format: Numeric Value is returned from the getTimezoneOffset() method.
customer.browser.userAgent	Mandatory	Automatically collected by the widget	Merchant should collect and send via API	Length: Variable, maximum 2048 characters Format: String
customer.ip	Optional	Automatically collected by the widget	Merchant should collect and send via API	Length: Variable, maximum 45 characters Format: IPv4 address Example: 1.12.123.255
customer.browser.javaEnabled	Mandatory when customer.browser.javascriptEnabled = true; otherwise Optional	Automatically collected by the widget	Merchant should collect and send via API	Values accepted: • true • false Value is returned from the navigator.javaEnabled property.
customer.browser.javascriptEnabled	Mandatory	Automatically collected by the widget	Merchant should collect and send via API	Values accepted: • true • false
customer.browser.screenColorDepth	Optional	Automatically collected by the widget	Merchant should collect and send via API	Length: 1–2 characters Format: String Values accepted: • 1 = 1 bit • 4 = 4 bits • 8 = 8 bits • 15 = 15 bits • 16 = 16 bits • 24 = 24 bits • 32 = 32 bits • 48 = 48 bits
customer.browser.challengeWindow	Optional	Automatically collected by the widget	Merchant should collect and send via API	Length: 2 characters Values accepted: • 01 = 250 x 400 • 02 = 390 x 400 • 03 = 500 x 600 • 04 = 600 x 400 • 05 = Full screen
threeDSecure.amount	Optional	Sent via the API	Sent via the API	Length: Variable, maximum 12 characters Format: Numeric with 2 minor units after the decimal point Example: 123.00
threeDSecure.currency	Optional	Sent via the API	Sent via the API	Length: 3 characters Format: ISO 4217 A3 currency code

Merchant related fields configured in the gateway

Field name	Mandatory/Optional	Comment
Merchant category code	Mandatory
Merchant country code	Mandatory
Merchant name	Mandatory	Merchant name assigned by the Acquirer or Payment System.
Merchant ID	Mandatory	Acquirer-assigned Merchant identifier.
Requestor ID	Mandatory	DS assigned 3D Secure Requestor identifier.
Requestor Name	Mandatory	DS assigned 3D Secure Requestor name.
Requestor URL	Mandatory	Fully qualified URL of 3D Secure Requestor website or customer care site.

Authentication amount and currency

In some cases the amount and/or currency that is used in the authentication can be different from the one that will be used in the payment later. For example the payment amount might not be known at the time of the authentication, or the merchant would like to authenticate the shopper for the full amount when the payment will be done in multiple installments.

If the authentication amount and the payment amount are different, then the authentication amount and currency can be sent in a separate field:

threeDSecure.amount	Amount for which the shopper will be authenticated for.
threeDSecure.currency	Currency for which the shopper will be authenticated for.

Please note that payment amount and currency are still mandatory fields for any payment request. If there are no authentication amount and currency defined then the shopper will be authenticated with the payment amount and currency.

Additional settings

3DS Challenge Indicator and MIT agreements

The merchants have the possibility to set the preference of a transaction being challenged or not. This is only a preference, and won't guarantee that the issuer will or will not request a challenge from the cardholder. It is up to the issuer to consider the merchant's preference during the risk assessment of the transaction. As an example, regional mandates might require transactions to be challenged and the merchant should ask for a mandated challenge. Thus the merchants have the option to send the field threeDSecure.challengeIndicator with one of the following values: Send the field threeDSecure.challengeIndicator with one of the following values:

Value	Challenge Preference	Description
01	No preference	The merchant has no preference, and fully trust the issuer to ask a challenge from the cardholder.
02	No challenge requested	The merchant prefers that the cardholder is not authenticated by the issuer, and only the frictionless flow applies
03	Challenge requested: 3D Secure Requestor Preference	The merchant prefers that the cardholder is authenticated by the issuer.
04	Challenge requested: Mandate	The cardholder authentication is mandated (eg. by regional mandates) Note: Merchants performing recurring payments are required to have a merchant-initiated transaction (MIT) agreement with the cardholder. This grants the merchant permission to store the cardholder's card data for future transactions when the cardholder is not present. The following requirements apply to these MIT agreements: MIT agreements must have an originating cardholder-initiated transaction (CIT). The initial CIT payment request must go through strong customer authentication (SCA). Scheme regulations mandate that merchants must populate threeDSecure.challengeIndicator with value 04 when sending the initial CIT; this forces the issuer to apply SCA. If these requirements are not met, merchants are likely to experience payment failures for future MIT requests as a result of SCA not being applied.
05	No challenge requested	Transactional risk analysis is already performed Note: Only available in 3DS 2.2
06	No challenge requested	Data share only Note: Only available in 3DS 2.2
07	No challenge requested	Strong consumer authentication is already performed Note: Only available in 3DS 2.2
08	No challenge requested	Utilize whitelist exemption if no challenge required Note: Only available in 3DS 2.2
09	Challenge requested	Whitelist prompt requested if challenge required Note: Only available in 3DS 2.2

Note: For initial 3DS 2 CIT payment requests and any 3DS 2 transactions with field createRegistration set to true, field ChallengeIndicator will be populated a default value of "04 - Challenge Requested Mandate". This default value will only be populated if the merchant has not populated this field themselves; any merchant-provided values will not be overridden.

Information about the cardholder's account and history with the merchant

The following fields are not mandatory, but it is strongly recommended to send them. They are affecting the accuracy of the issuer's risk check, and will result in more frictionless flows.

The field values below can be collected by the 3D Secure Requestor* about the cardholders activity on their webshop.

*3D Secure Requestor denotes the merchant

Field name

Description

customParameters[ReqAuthMethod]

Method used by the Cardholder to authenticate to the 3D Secure Requestor.

Contains optional information about how the cardholder authenticated during login to their 3D Secure Requestor account.

Possible values are:

01	No authentication occurred (i.e. cardholder "logged in" as guest)
02	Login to the cardholder account at the merchant system using cardholder's own credentials
03	Login to the cardholder account at the merchant system using federated ID
04	Login to the cardholder account at the merchant system using issuer credentials
05	Login to the cardholder account at the merchant system using third-party authentication
06	Login to the cardholder account at the merchant system using FIDO Authenticator

customParameters[ReqAuthTimestamp]

Date and time in UTC of the cardholder authentication. Accepted date format is YYYYMMDDHHMM.

Part of the 3D Secure Requestor Authentication Information which contains optional information about how the cardholder authenticated during login to their account.

customParameters[PriorAuthMethod]

Mechanism used by the Cardholder to previously authenticate to the 3D Secure Requestor.

Contains information about a 3D Secure cardholder authentication that occurred prior to the current transaction.

Possible values are:

01	Frictionless authentication occurred by ACS
02	Cardholder challenge occurred by ACS
03	ACS verified
04	Other issuer methods

customParameters[PriorAuthTimestamp]

Date and time in UTC of the prior cardholder authentication. Accepted date format is YYYYMMDDHHMM.

Contains information about a 3D Secure cardholder authentication that occurred prior to the current transaction.

customParameters[PriorReference]

This data element provides additional information to the ACS to determine the best approach for handling a request. It contains an ACS Transaction ID for a prior authenticated transaction (for example, the first recurring transaction that was authenticated with the cardholder).

Contains information about a 3D Secure cardholder authentication that occurred prior to the current transaction.

customParameters[PriorAuthData]

This data element contains DS Transaction ID for a prior authenticated transaction as a part of a 3DS Requestor Initiated (3RI) transaction and an AAV Refresh transaction. This parameter helps to improve the ACS chances of approving the transaction linked to a previously authenticated transaction. An AAV Refresh transaction in 3DS 2.1 request must populate the DS Transaction ID of the original authentication transaction that is being refreshed.

Format of the 3DS Requestor Prior Transaction Authentication Data is defined in a JSON Data Type: String. Example: customParameters[PriorAuthData]=dsTransID: 9aed2dc3-4473-4bb8-a763-7bac4b40de3a. It allows up to 2048 characters. Incorrectly formatting could result in processing error.

customParameters[AAVRefresh]

Mastercard generates an Account holder Authentication Values (AAV) for every successfully authenticated payment transaction since 3DS 2.1. Mastercard retention and validity period for an AAV is 10-90 days. AAV Refresh capability allows merchants to request a ‘refreshed’ AAV using a non-payment (NPA) request from the issuer ACS for their previously fully authenticated transaction. Send DS Transaction ID of previously authenticated transaction in customParameters[PriorAuthData].

Possible values: true/false

customParameters[AccountId]

Additional information about the account optionally provided by the 3D Secure Requestor in AReq messages.

customParameters[AccountAgeIndicator]

Length of time that the cardholder has had the account with the 3D Secure Requestor.

Possible values are:

01	No account (guest check-out)
02	Created during this transaction
03	Less than 30 days
04	30-60 days
05	More than 60 days

customParameters[AccountChangeDate]

Date that the cardholder's account with the 3D Secure Requestor was last changed. Accepted date format is YYYYMMDD.

customParameters[AccountChangeIndicator]

Length of time since the cardholder's account information with the 3D Secure Requestor was last changed.

Possible values are:

01	No account (guest check-out)
02	Created during this transaction
03	Less than 30 days
04	30-60 days
05	More than 60 days

customParameters[AccountDate]

Date that the cardholder opened the account with the 3D Secure Requestor. Accepted date format is YYYYMMDD.

customParameters[AccountPasswordChangeDate]

Date that cardholder's account with the 3D Secure Requestor had a password change or account reset. Accepted date format is YYYYMMDD.

customParameters[AccountPasswordChangeIndicator]

Indicates the length of time since the cardholder's account with the 3D Secure Requestor had a password change or account reset.

Possible values are:

01	No account (guest check-out)
02	Created during this transaction
03	Less than 30 days
04	30-60 days
05	More than 60 days

customParameters[AccountPurchaseCount]

Number of purchases with this cardholder account during the previous six months.

customParameters[AccountProvisioningAttempts]

Number of Add Card attempts for the account in the last 24 hours.

customParameters[AccountDayTransactions]

Number of transactions (successful and abandoned) for this cardholder account with the 3D Secure Requestor across all payment accounts in the previous 24 hours.

customParameters[AccountYearTransactions]

Number of transactions (successful and abandoned) for this cardholder account with the 3D Secure Requestor across all payment accounts in the previous year.

customParameters[PaymentAccountAge]

Date that the payment account was enrolled in the cardholder's account with the 3D Secure Requestor. Accepted date format is YYYYMMDD.

customParameters[PaymentAccountAgeIndicator]

Indicates the length of time that the payment account was enrolled in the cardholder's account with the 3D Secure Requestor.

Possible values are:

01	No account (guest check-out)
02	Created during this transaction
03	Less than 30 days
04	30-60 days
05	More than 60 days

customParameters[ShipAddressUsageDate]

Date when the shipping address used for this transaction was first used with the 3D Secure Requestor. Accepted date format is YYYYMMDD.

customParameters[ShipAddressUsageIndicator]

Indicates the length of time since the shipping address used for this transaction was first used with the 3D Secure Requestor.

Possible values are:

01	No account (guest check-out)
02	Created during this transaction
03	Less than 30 days
04	30-60 days
05	More than 60 days

customParameters[ShipIndicator]

Indicates shipping method chosen for the transaction. Merchants must choose the Shipping Indicator code that most accurately describes the cardholder's specific transaction, not their general business. If one or more items are included in the sale, the Shipping Indicator code for the physical goods is used, or if all digital goods, the Shipping Indicator code that describes the most expensive item.

Possible values are:

01	Ship to cardholder's billing address
02	Ship to another verified address on file with merchant
03	Ship to address that is different than the cardholder's billing address
04	"Ship to Store" / Pick-up at local store (Store address shall be populated in shipping address fields)
05	Digital goods (includes online services, electronic gift cards and redemption codes)
06	Travel and Event tickets, not shipped
07	Other (for example, Gaming, digital services not shipped, emedia subscriptions, etc.)

customParameters[ShipNameIndicator]

Indicates if the Cardholder Name on the account is identical to the shipping Name used for this transaction.

Possible values are:

01	Account Name identical to shipping Name
02	Account Name different than shipping Name

customParameters[SuspiciousAccountActivity]

Indicates whether the 3D Secure Requestor has experienced suspicious activity (including previous fraud) on the cardholder account.

Possible values are:

01	No suspicious activity has been observed
02	Suspicious activity has been observed

customParameters[TransactionType]

Identifies the type of transaction being authenticated.

Possible values are:

01	Goods / Service Purchase
03	Check Acceptance
10	Account Funding
11	Quasi-Cash Transaction
28	Prepaid Activation and Load

customParameters[DeliveryTimeframe]

Indicates the merchandise delivery timeframe.

Possible values are:

01	Electronic Delivery
02	Same Day Shipping
03	Overnight Shipping
04	Two-day or more shipping

customParameters[DeliveryEmailAddress]

For Electronic delivery, the email address to which the merchandise was delivered.

customParameters[ReorderItemsIndicator]

Indicates whether the cardholder is reordering previously purchased merchandise.

Possible values are:

01	First time ordered
02	Reordered

customParameters[PreOrderPurchaseIndicator]

Indicates whether Cardholder is placing an order for merchandise with a future availability or release date.

Possible values are:

01	Merchandise available
02	Future availability

customParameters[PreOrderDate]

For a pre-ordered purchase, the expected date that the merchandise will be available.
Date format = YYYYMMDD

customParameters[GiftCardAmount]

For prepaid or gift card purchase, the purchase amount total of prepaid or gift card(s) in major units (for example, USD 123.45 is 123).

customParameters[GiftCardCurrency]

For prepaid or gift card purchase, ISO 4217 three-digit currency code of the gift card.

customParameters[GiftCardCount]

For prepaid or gift card purchase, total count of individual prepaid or gift cards/codes purchased.

Response fields

In the returned response there are two places where 3D Secure related response values can be present. In the "threeDSecure" object we store the values that are not brand specific and can be returned by any card brand and issuer. In the "resultDetails" object we store the brand specific values if the scheme directory server returns such value.

Values returned in the threeDSecure object

Value	Description
eci	Payment System-specific value provided by the ACS or DS to indicate the results of the attempt to authenticate the Cardholder.
verificationId	Payment System-specific value provided by the ACS or the DS using an algorithm defined by Payment System. Authentication Value may be used to provide proof of authentication.
version	Version of the 3D Secure that was used for authentication
flow	Indicates the user flow that was applied during the authentication: challenge or frictionless
dsTransactionId	Universally unique transaction identifier assigned by the DS to identify a single transaction.
challengeMandatedIndicator	Indication of whether a challenge is required for the transaction to be authorised due to local/regional mandates or other variable.
authenticationType	Authentication approach that the ACS used to authenticate the Cardholder for this specific transaction.
acsTransactionId	This field contains a universally unique transaction identifier assigned by the ACS to identify a single transaction.

Example

"threeDSecure":{
    "eci":"05",
    "verificationId":"MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=",
    "version":"2.1.0",
    "flow":"challenge"
    "dsTransactionId":"1231-2342-3453-4564"
    "challengeMandatedIndicator":"Y"
    "authenticationType":"2"
    "acsTransactionId":"7777-8797-4645-1233"
  },

Values returned in the resultDetails object

Value	Returned for brand	Description
CB_Authentication_value_algorithm	Cartes Bancaires	Identifies the algorithm used by the ACS to calculate the Authentication Value. For example: 0 = HMAC (per SET stain); 1 = CVV; 2 = CVV with ATN; 3 = SPA AAC; A = AV-CB
CB_Score	Cartes Bancaires	Global score calculated by the Cartes Bancaires Scoring platform

Example

"resultDetails":{
    "ExtendedDescription":"Approved or completed successfully",
    "clearingInstituteName":"Clearing_Institute",
    "ConnectorTxID1":"12345",
    "AcquirerResponse":"00",
    "reconciliationId":"132499881"
    "CB_Authentication_value_algorithm":"2"
    "CB_Score":"55"
  },

New return codes

Two new return codes have been introduced in the 3DS 2.0 workflow:

300.100.100 - may be returned during the payment authorization. Indicates that the acquirer or the issuer declined the transaction due to SCA was not applied. This is a soft decline, and the appropriate action to take is to re-submit the transaction with 3D Secure, which will result in a challenge flow.
000.400.110 - Authentication successful (fricitionless flow). This may be returned during the authentication (3D Secure) flow, when the issuer authenticates the transaction solely based on the data received in the authentication request without the need for the cardholder to authenticate themselves
000.400.109 - Card is not enrolled for 3D Secure version 2. This code may be returned during the 3DS lookup request (PReq). If the card is not enrolled for 3DS 2.x, and the fallback to 3DS 1.0 is not enabled, then the transactions status will be 000.400.109

Parameters for merchants using 3rd party 3DS Server/MPI

If a merchant is using a third-party 3DS Server provider, and the API is used only for processing authorizations, then some additional parameters might be required:

Name

Parameter

Description

Directory Server transaction ID

threeDSecure.dsTransactionId

Transaction ID assigned by the directory server

3D Secure version

threeDSecure.version

Version of 3D (examples: 1.0.2, 2.1.0, 2.2.0 )

3DS Requestor Challenge Indicator

threeDSecure.challengeIndicator

Indicates whether a challenge is requested for this transaction. For example: a 3DS Requestor may have concerns about the transaction, and request a challenge. Allows 3DS Requestor to request a challenge such as to follow local/regional mandates or other variables. Possible values:

01	No preference
02	No challenge requested
03	Challenge requested: 3D Secure Requestor Preference
04	Challenge requested: Mandate

ACS Challenge mandate indicator

threeDSecure.challengeMandatedIndicator

Indication of whether a challenge is required for the transaction to be authorized due to local/regional mandates or other variable.

Authentication Type

threeDSecure.authenticationType

The type of authentication that was requested by the ACS.

01	Static
02	Dynamic
03	OOB
04	Decoupled

Exemption flag

threeDSecure.exemptionFlag

Flags the transaction as exemption during authorization. Possible values:

01	Low value exemption
02	TRA exemption
03	Trusted beneficiary exemption
04	Corporate card payment exemption

Transaction status reason

threeDSecure.transactionStatusReason

Provides information on why the Transaction Status field has the specified value.

ACS transaction ID

threeDSecure.acsTransactionId

This field contains a universally unique transaction identifier assigned by the ACS to identify a single transaction.

Authentication channel

threeDSecure.channel

The authentication channel indicator. Only provide to indicate 3RI request(Merchant initiated authentication), which is available as a feature in 3DS 2.2 for MasterCard only.

Exemptions

Exemptions are particular transactions that can be exempted from SCA, and they don't necessarily need explicit cardholder authentication. In a simpler way: they can be either authorized without previous authentication, or they will go though a frictionless flow during authentication which means the cardholder doesn't have authenticate themselves with the issuer.

These exemptions are transactions which are:

Low value
Low risk
Between cardholder and merchant, where the cardholder white-listed the merchant as a 'trusted beneficiary'
Made with a corporate card

Merchants can request an exemption by marking the transaction with the exemption flag. It is important to know, that in this case:

Merchant takes liability for the transaction
The issuer has the power to override the exemption request
Some acquirers may not allow certain exemptions for their merchants. Merchants should consult with their acquirers to which extent can they use the exemption flags.

Exemptions can be requested in 2 ways:

By sending the transaction directly to authorization with an exemption flag (no 3D Secure will be executed, and liability will be with the merchant).
By sending the transaction for authentication with an exemption flag (3D Secure will be attempted and the issuer will take the liability).

The usage of the threeDSecure.challengeIndicator is not necessary to request an exemption. But it can be used when the transaction is still going though 3D Secure processing, but the merchant wants to indicate their intention to the issuer.

Possible values for the threeDSecure.challengeIndicator and threeDSecure.exemptionFlag fields:

threeDSecure.challengeIndicator - should be used in the case when the transaction is sent to the issuer for authentication, but a challenge is not requested.

Value	Challenge preference	Description
01	No preference	The merchant has no preference, and fully trust the issuer to ask a challenge from the cardholder.
02	No challenge requested	The merchant prefers that the cardholder is not authenticated by the issuer, and only the frictionless flow applies
03	Challenge requested: 3D Secure Requestor Preference	The merchant prefers that the cardholder is authenticated by the issuer.
04	Challenge requested: Mandate	The cardholder authentication is mandated (eg. by regional mandates)
05	No challenge requested	Transactional risk analysis is already performed
06	No challenge requested	Data share only
07	No challenge requested	Strong consumer authentication is already performed
08	No challenge requested	Utilise whitelist exemption if no challenge required
09	Challenge requested	Whitelist prompt requested if challenge required

threeDSecure.exemptionFlag - to indicate the type of exemption requested. Used both in the exemption request during authentication and the authorization process.

Value	Exemption
01	Low value exemption
02	TRA exemption
03	Trusted beneficiary exemption
04	Corporate card payment exemption

Soft declines

If the exemption is requested via authorization, meaning that the 3D Secure call is skipped, the acquirer has the option to reject the exemption request. In this case the acquirer will 'soft decline' the transaction, which is indicated with the return code 300.100.100. The correct action to take is to re-send the transaction to 3D Secure authentication and after that to authorization with the authentication result.

The merchant has 2 options handling the soft decline:
1. The gateway can return the soft decline code, and let the merchant handle the workflow as they wish. 2. The gateway can automatically retry the transaction. If the transaction is retried after a soft decline, the 3D Secure authentication will always end up with a challenge flow for the customer.

Out of scope transactions

A certain group of transactions is out of scope from Strong Customer Authentication (SCA). This means, that these transactions can be sent to authorization directly and they will not be declined by the acquirer or the issuer with a soft decline. In order for a transaction to qualify as out of scope it is crucial to mark the transaction with the proper flags.

Transaction type	How to flag
Mail order or telephone order	Set the field transactionCategory to 'MO' or 'TO'
Recurring transactions	Set the field recurringType to standingInstruction.mode=REPEATED. This only applies for merchant initiated transactions (MIT), eg. subscription agreement between consumer and merchant.
Merchant Initiated Transactions	Set the field standingInstruction.source=MIT Acquirer specific parameter set also needs to be sent. Please refer to the individual Integration Sheets of the acquirer connection you are using.

Additional Features

EMV 3D Secure offers some additional features that were not available in earlier versions. These are optional features but offer a better and more flexible way for merchants to authenticate their customers.

Non-payment authentication (NPA)

Non-payment authentication (NPA in short) offers the option to authenticate the shopper even when there is no payment transaction happening and in cases when the transaction amount is not known. For example the cardholder wants to store their card for future payments but doesn't want to buy anything (card tokenization without payment). NPA offers an easy way for merchants to make sure that the cardholder is authenticated before the card is even tokenized.

There are multiple ways to initiate a non-payment authentication.

1. Authentication during registration
2. Standalone NPA

Authentication during registration

To perform a 3D Secure authentication before a card is tokenized, the feature should be enabled on the back-end. Please ask your technical support team to enable this functionality

Once it is activated, when the cardholder registers their card details, it will trigger a 3D Secure 2 authentication before the card registration.

Please note: if the transaction is an authorization (PA) where registration is enabled (by sending createRegistration=true), the 3D Secure authentication will be triggered for the payment transaction and not for the registration.

NPA for a payment transaction

You might want to perform an NPA without a registration. For example for an account verification transaction (zero-amount authorization). In this case there are no additional settings or parameters are required. Just make sure that 3D Secure 2 is enabled and NPA will be triggered automatically for zero amount PA payment types.

Additionally, NPA can be forced via an additional parameter. Even if the amount is not zero, if the parameter threeDSecure.npa=true is sent, it will trigger a NPA instead of a regular 3D Secure payment authentication with the payment amount. Please be aware that the authenticated amount should always be the same, or inside a 15% threshold of the payment amount. (Important note: schemes will reduce this threshold to 5% in the future.)

Note: if the amount=0.00 is sent, but threeDSecure.amount is greater than zero, then the 3D Secure authentication will use the amount from the threeDSecure.amount field.

Identity Check Insights / Data Only - MasterCard's authentication message category

Mastercard has defined a custom authentication message category called Identity Check Insights, formerly called Data Only. It provides the merchant with the flexibility to share cardholder data through the EMV® 3DS rails to influence an issuer’s decision to approve a transaction without requesting authentication and thus with no risk of cardholder challenge and added latency.

A normal authentication request is represented by message category 01 (payment) or 02 (non-payment), which result in the message to the ACS provider with liability shift. Identity Check Insights is requested using Mastercard message category value of 80 and it is not sent to the ACS provider, it is the MasterCard's Smart Authentication engine who generates the authnetication data, such as eci, AAV, dsTransactionId and provides back to the 3DS Server in the authentication response message.

To request an Identity Check Insights as a merchant, make sure you've configured Mastercard for 3D Secure 2 in the MPI type settins and send the following field with the OPP request:

3RI authentication

3RI authentication stands for 3DS Requestor Initiated Authentication. This is an authentication method where the cardholder is not present and the transaction is initiated by the merchant. This type of authentication is mainly used to get the status of an already authenticated transaction in case of delayed shipments.

To request a 3RI authentication as a merchant, send the following 2 fields with the request:

Decoupled authentication

Decoupled Authentication is an authentication method whereby authentication can occur independent from the cardholder’s experience with the 3DS Requestor (merchant). During decoupled authentication the shopper will not do the authentication during the challenge flow in the iframe on the merchant's website, but separately via a mobile application for example.

To request a decoupled authentication from the issuer, send the threeDSecure.decoupled=true field with the request.

Please be aware that not all issuers support decoupled authentication. In case it's not supported, the transaction will be authenticated with the normal workflow.

COPYandPAY

Server to Server

Server to Server Examples

How to handle the responses

Fields required for 3D Secure 2

Source is the cardholder or cardholder's environment

Merchant related fields configured in the gateway

Authentication amount and currency

Additional settings

3DS Challenge Indicator and MIT agreements

Information about the cardholder's account and history with the merchant

Response fields

New return codes

Parameters for merchants using 3rd party 3DS Server/MPI

Exemptions

Soft declines

Out of scope transactions

Additional Features

Non-payment authentication (NPA)

Authentication during registration

NPA for a payment transaction

Identity Check Insights / Data Only - MasterCard's authentication message category

3RI authentication

Decoupled authentication

Versions available